Exchange 2019 - Default Mailflow

Yozuke Hizawa 41 Reputation points
2023-01-03T11:23:46.883+00:00

Hi,
We are using Exchange 2019 (Hybrid).
There are some questions that are bugging us.

  1. Why does the receive connector in Exchange allow anonymous users by default? It allows spoofing of a domain account or any other domain and sending to any valid internal user domain.
  2. Is it possible / recommended to remove the anonymous user on the Default Frontend transport and put some specific additional receive connector (with whitelisted IPs) which has anonymous permission?
  3. If it's not possible, how do we tackle / prevent it if the source is not defined on the anonymous receive connector list? (This is not possible if the suggestion requires blocking outbound port 25 on the whole network infrastructure.)
Exchange | Exchange Server | Other
Exchange | Exchange Server | Management

Answer accepted by question author
  1. Andy David - MVP 159.7K Reputation points MVP Volunteer Moderator
    2023-01-03T12:44:00.703+00:00
    1. Anonymous is needed because the messages sent from external mail servers to your mail server are not authenticated. If you disable that, then no one externally can send messages to your mail server.
    2. If you want to receive mail directly from the internet to your Exchange server, you have to allow anonymous for all connections; otherwise you would need to set your MX record to a 3rd party or Edge Server that receives mail from the internet, then set the receive connector on Exchange to only receive mail from that Edge server.
    3. You combat phishing with quality 3rd party anti-spam/anti-malware. You can use a transport rule, but that's not the best way to do that.

    If you are in hybrid, then the recommendation is to allow mail to go inbound and outbound through Office 365 and not allow any direct access to the Exchange Server except from Exchange Online. You can control this with firewall rules.

    https://learn.microsoft.com/en-us/exchange/transport-routing

    https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide

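The connector layout the answer describes (a dedicated anonymous connector scoped to the gateway / Exchange Online ranges, with anonymous removed from the catch-all Default Frontend connector) looks like the following in the Exchange Management Shell. This is an added example, not code from the answer above or from Microsoft; the server name EX01, the connector name and the IP ranges are placeholders that must be replaced with your own values, and the Exchange Online ranges must be taken from the Microsoft IP-ranges page linked in the answer rather than from this snippet.

```powershell
# Added example (not from the original thread). Assumes Exchange 2019 server "EX01"
# and that the mail gateway / Exchange Online source addresses are known.
# Replace every address below; the ones here are RFC 5737 documentation ranges.
$Server        = "EX01"
$TrustedRanges = @(
    "203.0.113.10",      # placeholder: 3rd-party mail gateway
    "198.51.100.0/24"    # placeholder: Exchange Online ranges from the M365 IP list
)

# 1. Record the current state so the change can be reviewed and rolled back.
Get-ReceiveConnector -Server $Server |
    Format-List Name, Bindings, RemoteIPRanges, PermissionGroups, TlsDomainCapabilities

# 2. Dedicated frontend connector that accepts anonymous SMTP only from the trusted ranges.
#    Exchange picks the connector whose RemoteIPRanges is the most specific match, so this
#    connector wins over "Default Frontend" (0.0.0.0-255.255.255.255) for these sources.
New-ReceiveConnector -Server $Server `
    -Name "Inbound from gateway and EXO" `
    -TransportRole FrontendTransport `
    -Usage Custom `
    -Bindings "0.0.0.0:25" `
    -RemoteIPRanges $TrustedRanges `
    -PermissionGroups AnonymousUsers

# In a hybrid deployment the Hybrid Configuration Wizard normally sets a TLS domain
# capability on "Default Frontend" so mail from Exchange Online is treated as internal.
# If Exchange Online's ranges are moved to this connector, carry that setting over
# (check the value recorded in step 1 before copying it); this line is an assumption
# about your HCW output and is therefore left commented.
# Set-ReceiveConnector -Identity "$Server\Inbound from gateway and EXO" `
#     -TlsDomainCapabilities "mail.protection.outlook.com:AcceptCloudServicesMail"

# 3. Remove AnonymousUsers from the catch-all connector; authenticated users and
#    Exchange servers keep their access.
Set-ReceiveConnector -Identity "$Server\Default Frontend $Server" `
    -PermissionGroups ExchangeUsers, ExchangeServers, ExchangeLegacyServers

# 4. Verify: only the dedicated connector should still list AnonymousUsers.
Get-ReceiveConnector -Server $Server |
    Where-Object { $_.PermissionGroups -match "AnonymousUsers" } |
    Format-Table Name, RemoteIPRanges, PermissionGroups -AutoSize
```

After this change a host outside `$TrustedRanges` that connects to port 25 lands on the Default Frontend connector and is refused when it tries to submit mail without authenticating, which is the behaviour the question asks for; the trade-off the answer points out still applies, namely that any legitimate sender not routed through the gateway or Exchange Online is refused as well, so confirm the MX record and firewall rules already send all external mail through those paths before removing the permission group, and keep the step-1 output to restore the original settings if needed.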

1 additional answer

  1. Yozuke Hizawa 41 Reputation points
    2023-01-04T01:20:40.887+00:00

    Hi Andy,

    Thanks for your answer,
    So we just need to add another anonymous receive connector for our 3rd party Mail Gateway and the O365 connection IP list, and then disable the anonymous users permission on the Default Frontend of Exchange?

